Preface 


Welcome to Qualys Cloud Platform! In this guide, we'll show you how to use the Qualys 
integration with CyberArk Application Identity Manager (AIM) for credential management. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical security 
intelligence on demand and automating the full spectrum of auditing, compliance and 
protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed service 
providers and consulting organizations including Accenture, BT, Cognizant Technology 
Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, Optiv, 
SecureWorks, Tata Communications, Verizon and Wipro. The company is also a founding 
member of the Cloud Security Alliance (CSA). For more information, please visit 
www.qualys.com 


Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your questions 
will be answered in the fastest time possible. We support you 7 days a week, 24 hours a day. 
Access support information at www.qualys.com/support/ 
Overview 


The Qualys Cloud Based Platform provides an easy way to continuously discover and secure all 
your global IT assets. With Qualys Cloud Platform you get a single view of your security, 
compliance and IT posture all in one place - in real time. Qualys Cloud Suite includes a suite of 
security and compliance applications, built on top of the Qualys Cloud Platform infrastructure 
and services. 


Qualys delivers frequent product updates with new features and improvements, leveraging its 
cloud based infrastructure and services. See the latest Release Notes for details. 


Key Benefits 


Using the Qualys integration with CyberArk Application Identity Manager, credential management 
is simplified because customers no longer need to store and manage their passwords, private keys and 
certificates within Qualys to perform authenticated scans. This significantly reduces the 
complexity of credential management because credentials are centrally managed in the 
CyberArk solution. Organizations can automatically rotate passwords, private keys and 
certificates based on their security policy, eliminating the need to manually update credentials 
within the Qualys platform. Further, credentialed scans yield deeper, more 
accurate scan results. 


Simplified privileged credential management and improved compliance 


Internal policies and many regulatory requirements such as those in PCI, SOX, and HIPAA, 
require full accountability and traceability of all credential use. By storing privileged credentials 
used by Qualys Vulnerability and Compliance Scanning solution in CyberArk, organizations 
increase security and can enforce their security policies by automating credential rotation, 
centrally storing and managing credentials, and fully auditing credential use. Centralized 
management also makes it easier to update credentials, significantly reducing the potential for 
human error that can occur when manually maintaining credentials in the Qualys platform. 


Facilitates secure scanning, resulting in better discovery and prioritization 


When a trusted scan is performed for vulnerability or compliance assessment, the Qualys 
scanner logs into the target machine and reads configuration data such as registry values, 
configuration files/settings, and software inventory details. Qualys uses the configuration data to 
verify vulnerabilities and make sure configuration settings meet minimum required standards. 
By leveraging CyberArk's automated credential rotation, which updates and 
synchronizes privileged account credentials based on policy, there is no risk of the 
Qualys scanner re-using stale or unprotected credentials. This significantly improves security and 
facilitates wider adoption of credentialed scanning. By leveraging the Qualys - CyberArk integration, 
customers get a better picture of the true state of compliance and vulnerabilities with the added 
depth of scanning across even the largest environments. 
Qualys Integration - How it Works 


Figure 1: Workflow of the integration between Qualys and CyberArk Application Identity Manager. 
The diagram shows the Qualys Secure Operations Center (SOC), the Qualys Scanner Appliance, the 
CyberArk AIM server with its Digital Vault, and the server being scanned. 


HOW IT WORKS: BEFORE LAUNCHING THE SCAN 


(1) User configures the CyberArk solution according to their policies and sets up credentials. 

(2) User configures Qualys to use the CyberArk integration by configuring Authentication. 


LAUNCHING THE SCAN 


(3) User launches a trusted scan from Qualys. 

(4) The Qualys Scanner Appliance (SA) queries the Central Credential Provider (part of CyberArk 
Application Identity Manager) for secure credential retrieval from the CyberArk Digital Vault. 

(5) The SA scans the target using the credentials (Windows and Unix). 

(6) Audit/control/policy enforcement using CyberArk Application Identity Manager. 


Credential Retrieval 


The user launches an authenticated scan on a target machine and the authentication record for 
the target specifies the CyberArk AIM vault. The service sends a request to the scanner appliance 
with the CyberArk AIM CCP safe information (application ID, safe name and URL) defined by the 
customer in the vault record. The appliance uses this information, along with information from 
the authentication record, to request sensitive information from the vault - the password for a 
given user name, the private key and/or private key passphrase for a given certificate, the 
password for root delegation. The information requested depends on the host technology and 
authentication record settings. 


The appliance uses the information retrieved from the vault to log into the target machine and 
perform the trusted scan. After performing the scan, the scanner appliance deletes every trace of 
the password and/or private key, and sends the scan results to the Qualys Cloud Platform and 
these results are available in the user's Qualys account. 


How is the integration secured? 


Access is restricted by source IP address. The Allowed Machines list on the CyberArk Application ID 
must include the IP addresses of the Qualys scanners (external scanners and scanner appliances), so the 
Credential Provider only answers requests that originate from those addresses. Optionally, the vault 
record in Qualys can also present a client certificate if the CCP web service requires one (see the 
Certificate / Private Key fields in Step 3 of the Qualys Configuration). 
AIM Installation & Configuration 


Refer to “Credential Provider and ASCP Implementation Guide” for CyberArk Credential Provider 
installation. There are no specific steps for configuring AIM Provider with Qualys. 


Defining the Application ID (APPID) and Authentication Details 


To define the Application manually via CyberArk's PVWA (Password Vault Web Access) interface: 


1) Logged in as a user allowed to manage applications (this requires the Manage Users authorization), in 
the Applications tab, click Add Application; the Add Application page appears. 


Qualys does not have a pre-defined APP ID that the customer must use. One example for 
defining the Application ID for Qualys scanning would be Qualys-Scanner-AppID. 


Add Application dialog (example values): 
Name: Qualys-Scanner-AppID 
Description: Authorize Qualys scanners to access CyberArk AIM vault 

2) Specify the following information: 


- In the Name field, enter the unique name (ID) of the application. 
For Qualys, APP ID = Qualys-Scanner-AppID 
- In the Description field, enter a short description of the application that will help you identify it. 
- In the Business owner section, specify contact info about the application's Business owner. 
- In the lowest section, specify the Location of the application in the Vault hierarchy. If a Location 
is not selected, the application will be added in the same Location as the user who is creating 
this application. 
3) Click Add. The application is added and is displayed in the Application Details page. 


Application Details page (the screenshot shows an application named PartnerAppID): Application Id, 
Description, Business Owner, Business Owner's Phone, Business Owner's Email, Location, Access 
Permitted (None), Expiration Date (None), Disabled (No); tabs Authentication ("No authentications to 
display") and Allowed Machines; checkboxes "Allow extended authentication restrictions. This requires 
Provider/s upgrade for this application." and "Use credential file authentication". 


4) Please check the box “Allow extended authentication restrictions”. This enables you to specify 
an unlimited number of machines and Windows domain OS users for a single application. 


5) Go to the Allowed Machines tab to set up an Allowed Machines vault configuration with the IP 
addresses of Qualys scanners. This enables the Credential Provider to make sure that only 
applications that run from specified machines can access their passwords. (Note that Qualys 
does not support OS user, Path or Hash authentication.) 


Add only the Qualys scanners when defining Allowed Machines. Log into the Qualys UI and go to 
Help > About to see IP addresses for the Qualys external scanners. Go to Scans > Appliances to 
get information about the scanner appliances installed in your subscription. 


In the Allowed Machines tab, click Add. The Add allowed machine window appears. 


Add allowed machine dialog: Address field ("Enter IP/host name/DNS") and an Add button. 


Specify the IP/hostname/DNS of the machine where the application will run and will request 
passwords, then click Add. The IP address is listed in the Allowed Machines tab. 


Make sure the servers allowed include all mid-tier servers or all endpoints where the AIM 
Credential Providers were installed. 
Provisioning Accounts and Setting Permissions for Application Access 


For the application to perform its tasks, it must have access to the relevant accounts, either 
existing accounts or new accounts provisioned in the CyberArk Vault (Step 1). Once 
the accounts are managed by CyberArk, set up access for both the application 
and the CyberArk Application Password Providers serving the application (Step 2). 


1) In the Password Safe, provision the privileged accounts that will be required by the 
application. You can do this in either of the following ways: 
- Manually: Add accounts manually one at a time, and specify all the account details. 


- Automatically: Add multiple accounts automatically using the Password Upload feature. 
For this step, you require the “Add accounts” authorization in the Password Safe. 


For more information about adding and managing privileged accounts, refer to the Privileged 
Account Security Implementation Guide. 


2) Add the Credential Provider and application users as members of the Password Safes where 
the application passwords are stored. This can either be done manually in the Safes tab, or by 
specifying the Safe names in the CSV file for adding multiple applications. 


Add the Provider user as a Safe Member with the following authorizations: 
- List accounts 


- Retrieve accounts 
- View Safe Members 


Note: When installing multiple Providers for this integration, it is recommended to create a 
group for them, and add the group to the Safe once with the above authorization. 


Add Safe Member dialog for the Provider user (Search In: Vault): select the user, then check 
Retrieve accounts, List accounts and View Safe Members; leave Use accounts, Account Management, 
Safe Management, Monitor and View Audit log unchecked. Click Add. 
Add the application (the APPID) as a Safe Member with the following authorizations: 


- Retrieve accounts 


Add Safe Member dialog for the application (Search In: Vault): select the APPID, then check only 
Retrieve accounts. Click Add. 


If your environment is configured for dual control 


In PIM-PSM environments (v7.2 and lower), if the Safe is configured to require confirmation from 
authorized users before passwords can be retrieved, give the Provider user and the application 
the following permission: - Access Safe without Confirmation 


In Privileged Account Security solutions (v8.0 and higher), when working with dual control, the 
Provider user can always access without confirmation, thus, it is not necessary to set this 
permission. 


If the Safe is configured for object level access 


Make sure that both the Provider user and the application have access to the password(s) to 
retrieve. For more information about configuring Safe Members, refer to the Privileged Account 
Security Implementation Guide. 


Qualys Configuration 


Steps for authenticated scanning using CyberArk AIM vaults 


Good to Know - Qualys Cloud Suite implements role based user permissions. The instructions 
below assume you are the subscription owner with the Manager role. For details on user roles 
and permissions you can search for “user roles” in the online help. 


Step 1 - Add IP Addresses to Scan 


Go to Assets > Host Assets to add the IP addresses/ranges you want to scan. We also recommend 
you organize assets into asset groups and/or apply asset tags. This makes it easier to manage 
your assets for scanning and reporting. 
Asset Groups - Logically group assets by importance, priority, location, ownership, or something 
else - whatever makes sense for your business. Go to Assets > Asset Groups to get started. 


Asset Tags - Automatically discover and organize your assets using tags — this will ensure that 
your scans and reports are always synchronized with your dynamic business environment. Go to 
Qualys AssetView to create and manage tags. 


Step 2 - Configure Scanner Appliances 


Scanner Appliances (physical or virtual) are required to scan devices on internal networks. Go to 
Scans > Appliances to add a new appliance and configure it. Want some help? Just go to Help > 
Online Help and we’ll explain all the options. 


Step 3 - Configure CyberArk AIM vault records 


Go to Scans > Authentication > New > Authentication Vaults. Then choose New > CyberArk AIM. 


In the Vulnerability Management app, the Scans tab has the sub-tabs Scans, Maps, Schedules, 
Appliances, Option Profiles, Authentication, Search Lists and Setup. On the Authentication Vaults 
page, the New menu lists the supported vault types: CyberArk PIM Suite, CyberArk AIM, Quest Vault, 
CA Access Control, Hitachi ID PAM, Lieberman ERPM, BeyondTrust PBPS, Wallix AdminBastion (WAB), 
HashiCorp, Azure Key, CA PAM and Arcon PAM. 
Provide vault credentials to securely access sensitive information from your CyberArk AIM 
solution. CyberArk CCP is required. 


New CyberArk AIM Vault form (example values): Title: My CyberArk AIM Vault; Application ID: 
Qualys-Scan-App-ID; Safe: VaultSafeName; URL: https://host.domain/AIMWebService/v1.1/AIM.asmx 
(example: https://host.domain/AIMWebService/v1.1/AIM.asmx); SSL Verify checkbox; Certificate; 
Private key; Passphrase; Comments. Click Save. 


Vault Credentials 


Application ID: The application ID name for the CyberArk Central Credential Provider (CCP) web 
services API. The maximum length is 128 bytes and the first 28 characters must be unique. 

- Leading and/or trailing spaces or periods in the input value will be removed. 

- These restricted words cannot be included: Users, Addresses, Areas, XUserRules, unknown, 
Locations, Safes, Schedule, VaultCategories, Builtin. 

- These special characters cannot be included: \ / : * ? " < > | \t \r \n \x1F 


Safe: The name of the digital password safe (max of 28 characters). 

- Leading and/or trailing spaces in the input value will be removed. 

- These special characters cannot be included: \ / : * ? " < > | \t \r \n \x1F 


URL: The URL to the CyberArk AIM web service. Choose SSL Verify and we'll verify the server's 
SSL certificate is valid and trusted. The SSL Verify option is available when the URL uses HTTPS. 
Sample URL: https://<host.domain>/AIMWebService/v1.1/AIM.asmx 
SSL Verify: Qualys scanners will verify the SSL certificate of the web server to make sure the 
certificate is valid and trusted, unless you clear (un-check) the SSL Verify option. You may want 
to clear this option to skip SSL verification if the certificate was not issued by a well-known 
certification authority (CA) or if the certificate is self-signed. Keep in mind that with verification 
disabled the scanner cannot distinguish the real CCP from a host impersonating it on the network path, 
and the credentials it retrieves travel over that connection; where possible, issue the CCP certificate 
from a trusted CA and leave SSL Verify enabled. 


Certificate / Private Key / Passphrase: The certificate and private key/passphrase are required if 
your server requires a certificate for authentication. Both must be defined together or skipped. 
The certificate stores the base64-encoded client X.509 certificate in PEM format. The private key 
stores base64-encoded client private key that corresponds to the public key stored in the 
certificate. 
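The following is an added example, not code from Qualys or CyberArk, that shows what the credential retrieval described in "Credential Retrieval" and the vault record fields of Step 3 amount to on the wire: the scanner sends the Application ID, Safe, Folder and File (object) name to the CCP web service over TLS and gets the secret back. It assumes the CCP host also exposes the REST form of the endpoint (`/AIMWebService/api/Accounts` with `AppID`, `Safe`, `Folder` and `Object` query parameters, answering JSON with a `Content` field); the guide itself configures the SOAP URL `.../AIMWebService/v1.1/AIM.asmx`. The host name, safe name, account values and the sample replies are constructed for illustration. Only the Python standard library is used.

```python
"""Added example: a CCP credential lookup from the scanner's point of view.

Assumptions (not taken from the guide): the REST endpoint
/AIMWebService/api/Accounts, the host ccp.example.internal, the safe name
and the sample JSON replies are all made up for this illustration.
"""
import json
import ssl
import urllib.parse
import urllib.request

CCP_BASE = "https://ccp.example.internal"   # assumed CCP host
APP_ID = "Qualys-Scanner-AppID"              # the Application ID defined in PVWA
SAFE = "QualysScanCreds"                     # assumed safe name


def build_ccp_url(base, app_id, safe, folder, obj):
    """Build the CCP query for one account object.

    The Qualys vault record's Vault Folder / Vault File map onto the CCP
    Folder / Object parameters. A trailing folder separator is dropped, as the
    Qualys record does with a trailing "/".
    """
    folder = folder.rstrip("/\\")
    query = urllib.parse.urlencode(
        {"AppID": app_id, "Safe": safe, "Folder": folder, "Object": obj}
    )
    return f"{base.rstrip('/')}/AIMWebService/api/Accounts?{query}"


def make_ssl_context(verify=True, client_cert=None, client_key=None, passphrase=None):
    """TLS settings equivalent to the record's SSL Verify / Certificate fields.

    verify=False reproduces an unchecked SSL Verify box: the server certificate
    is not validated, so a host interposed on the path to CCP can impersonate
    it and read or substitute the credentials the scanner asks for.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if client_cert and client_key:
        # Client certificate authentication, on top of the Allowed Machines
        # source-IP check that CCP enforces for the Application ID.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key, password=passphrase)
    return ctx


def parse_ccp_response(body):
    """Extract the secret and account metadata from a CCP JSON reply.

    Raises ValueError when the reply is an error (no Content field).
    """
    data = json.loads(body)
    if "Content" not in data:
        raise ValueError(f"CCP error: {data.get('ErrorCode')} {data.get('ErrorMsg')}")
    return {
        "username": data.get("UserName"),
        "address": data.get("Address"),
        "secret": data["Content"],
    }


def fetch_credential(url, ctx, timeout=10):
    """Perform the lookup against a live CCP (not exercised offline)."""
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return parse_ccp_response(resp.read().decode("utf-8"))


# Constructed sample replies in the shape CCP returns; all values are made up.
SAMPLE_REPLY = json.dumps({
    "Content": "S3cret!Pass",
    "UserName": "svc_qualys",
    "Address": "10.20.30.40",
    "Safe": SAFE,
    "Folder": "Root",
    "Name": "host40-10-20-30-40",
})
SAMPLE_ERROR = json.dumps({
    "ErrorCode": "EXAMPLE001E",   # constructed error code
    "ErrorMsg": "Password object matching query was not found",
})

if __name__ == "__main__":
    url = build_ccp_url(CCP_BASE, APP_ID, SAFE, "Root/", "host40-10-20-30-40")
    print(url)
    print(parse_ccp_response(SAMPLE_REPLY)["username"])
```

Note that nothing in the request itself proves it came from a Qualys scanner: the only server-side check without a client certificate is the source IP against the Allowed Machines list, which is why the scanner IP list must be kept exact and the CCP endpoint should not be reachable from arbitrary hosts.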


Step 4 - Configure authentication records 

Go to Scans > Authentication > New and choose the authentication type you're interested in. 
There are several options to choose from. 

You can request this sensitive information from your CyberArk AIM solution: 

- Login Password (all supported authentication types) 

- Private Key & Private Key Passphrase (Unix, PostgreSQL, MongoDB only) 

- Root Delegation Password (Unix only) 

In the record, you'll provide the name of the Folder and File in the secure digital safe where the 


password to be used for authentication is stored. You'll also add the IP addresses for the hosts 
you want to scan with these credentials. 


Choose Authentication Vault (or Get password from vault: Yes). Then make these selections: 
Vault Type: CyberArk AIM 
Vault Record / Vault Title: Select the vault record you created in the previous step. 


Vault Folder: The vault folder name (169 characters max). Entering a trailing /, as in folder/, is 
optional (when specified, the service removes the trailing / and does not save it in the folder 
name). The maximum length of a folder name plus a file name is 170 characters (the leading 
and/or trailing space in the input value will be removed). These special characters cannot be 
included: /:*?"<>|<tab> 


Vault File: The vault filename (165 characters max). The maximum length of a folder name plus 
a file name is 170 characters (the leading and/or trailing space in the input value will be 
removed). These special characters cannot be included: \/:*?"<>|<tab> 


Using variables in the vault folder or file name 


You can use one or more variables when defining the folder name or file name in order to match 
several targets that use the same naming convention. During the scan, we'll match the variables 
to hosts that are already defined in the vault. 


${ip} // The IP address of the target, e.g. 10.20.30.40. 

${ip_dash} // The IP address of the target with dashes instead of dots, e.g. 10-20-30-40. 

${dnshost} // The DNS host name of the target, e.g. host.domain. 

${host} // The hostname of the target, e.g. host before .domain. 

${nbhost} // (Windows only) The NetBIOS host name of the target in upper-case, e.g. HOST_ABC. 
Important - When using variables to gather credentials from a CyberArk AIM vault, be sure the 
scanner appliance used for the scan job has scanner version 11.8 or later. Authentication will fail 
if the scanner appliance has an older version because the scanner will not be able to resolve the 
variables in your authentication record to actual values. Not sure which scanner version is on 
your appliance? Go to the Scans > Appliances list to see the version for each appliance and 
update the version if needed. 


Example: 

Let's say you have these 4 devices in your CyberArk AIM vault: 
centos6-10-50-60-70.foo.bar 

host40-10-20-30-40 

host80-10-50-60-70 

host12-10-30-10-12 


You'll need to create 2 records with the following configuration. 


Record 1: ${dnshost} 
matches centos6-10-50-60-70.foo.bar 


Record 2: ${host}-${ip_dash} 
matches host40-10-20-30-40, host80-10-50-60-70, host12-10-30-10-12 
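As an added example (not part of the guide), the following Python reproduces the variable expansion above and checks the guide's two records against its four vault objects: each target's values are computed for ${ip}, ${ip_dash}, ${dnshost}, ${host} and ${nbhost}, each record's Vault File template is expanded, and the first record whose expanded name exists in the vault wins. The target IPs and DNS names for the four hosts are constructed to be consistent with the object names; the function names are mine.

```python
"""Added example: resolving Qualys vault folder/file variables per target."""
import re

VARIABLE_PATTERN = re.compile(r"\$\{(ip|ip_dash|dnshost|host|nbhost)\}")


def target_variables(ip, dnshost=None, nbhost=None):
    """Variable values for one scan target.

    ${host} is the DNS name up to the first dot. ${nbhost} is the NetBIOS
    name upper-cased and only exists for Windows targets.
    """
    values = {"ip": ip, "ip_dash": ip.replace(".", "-")}
    if dnshost:
        values["dnshost"] = dnshost
        values["host"] = dnshost.split(".", 1)[0]
    if nbhost:
        values["nbhost"] = nbhost.upper()
    return values


def resolve(template, values):
    """Expand the variables in a folder/file template for one target.

    Returns None when a variable has no value for this target (for example
    ${nbhost} on a Unix host), since the vault lookup could not succeed.
    """
    missing = []

    def substitute(match):
        name = match.group(1)
        if name not in values:
            missing.append(name)
            return ""
        return values[name]

    expanded = VARIABLE_PATTERN.sub(substitute, template)
    return None if missing else expanded


def match_records(records, targets, vault_objects):
    """Map each target IP to the first record whose expanded file name is in the vault.

    records: list of (record_name, file_template)
    targets: list of dicts from target_variables()
    vault_objects: set of object (file) names present in the CyberArk safe
    """
    result = {}
    for target in targets:
        for name, template in records:
            candidate = resolve(template, target)
            if candidate is not None and candidate in vault_objects:
                result[target["ip"]] = (name, candidate)
                break
        else:
            result[target["ip"]] = None   # authentication would fail for this host
    return result


# The guide's example: four objects in the vault and two records.
VAULT_OBJECTS = {
    "centos6-10-50-60-70.foo.bar",
    "host40-10-20-30-40",
    "host80-10-50-60-70",
    "host12-10-30-10-12",
}
RECORDS = [
    ("Record 1", "${dnshost}"),
    ("Record 2", "${host}-${ip_dash}"),
]
# Constructed targets consistent with those object names (IPs/DNS names are assumed).
TARGETS = [
    target_variables("10.50.60.70", dnshost="centos6-10-50-60-70.foo.bar"),
    target_variables("10.20.30.40", dnshost="host40.foo.bar"),
    target_variables("10.30.10.12", dnshost="host12.foo.bar"),
    target_variables("10.9.9.9", dnshost="orphan.foo.bar"),   # no object in the vault
]

if __name__ == "__main__":
    for ip, hit in match_records(RECORDS, TARGETS, VAULT_OBJECTS).items():
        print(ip, "->", hit)
```

The last target shows the failure mode worth planning for: a host whose expanded name has no matching object in the safe simply fails authentication, which is what the Authentication Report in Step 6 will surface.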


Sample Windows Record: Get password from vault 


New Windows Record, Login Credentials section: Windows Authentication: Local or Domain; Domain 
type: NetBIOS, User-Selected IPs; Domain name (syntax: DOMAIN1). Login: choose Basic authentication 
or Authentication Vault. With Authentication Vault selected: User Name, Vault Type: CyberArk AIM, 
Vault Title (select a vault title), Folder (syntax: Root\Windows). Other sections of the record: IPs, 
Comments. 
Sample Unix Record: Get password from vault 


New Unix Record, Authentication section ("Provide login credentials to use for authenticated 
scanning. You have the option to get the login password from a vault available in your account"): 
Username; Get password from vault; Vault Type: CyberArk AIM; Vault Record (select a vault record); 
Vault Folder; Vault File. Other sections of the record: Private Keys / Certificates, Root Delegation, 
Policy Compliance Ports, Agentless Tracking, IPs, Comments. 


Sample Unix Record: Get private key from vault and Get passphrase from vault 


Private Keys / Certificates section ("Set private key / certificate for your Unix record"): Get 
private key from vault; Private Key Vault Type: CyberArk AIM; Vault Record; Vault Folder; Vault 
File. Get passphrase from vault; Vault Username; Passphrase Vault Type: CyberArk AIM; Vault Record; 
Vault Folder; Vault File. Certificate Type (select a certificate type); Certificate Content. 
Sample Unix Record: Get password from vault for Root Delegation 


Root Delegation section ("Set root delegation for your Unix record"): Root Delegation tool; Get 
password from vault; Vault Username; Vault Type: CyberArk AIM; Vault Record (select a vault 
record); Vault Folder; Vault File. 

Step 5 - Enable authentication for VM scans 


Go to VM > Scans > Option Profiles. Create a new option profile or edit an existing one, go to the 
Scan settings, scroll down to Authentication, and select technologies for the hosts you want to 
scan. 


Step 6 - You're ready to scan! 


Go to Scans > New > Scan. Remember online help is always available to help you along the way. 


Viewing scan results: For each scan we report authentication status in the Appendix section of 
the scan results. You’ll see hosts that 1) passed authentication, 2) failed authentication, and 3) 
passed authentication but the login account had insufficient privileges. 


We recommend the Authentication Report: This report tells you the pass/fail status for scanned 
hosts. If authentication failed on a host then we tell you the cause so you can resolve the issue. 


Hosts scanned in VM: 
Go to VM > Reports, select New > Authentication Report and run the report. 


Hosts scanned in PC: 

Go to PC > Reports, select New > Compliance Report > Authentication Report and run the report. 
Note - If host authentication fails during a compliance scan we do not perform any control 
evaluation for the host. 
Security and Compliance Reporting 


Asset based reports are available in the Reporting section. You can use predefined templates, 
customize them or create your own. Check out the variety of reports available for VM and PC. 


Vulnerability Management > Reports > New lists: Scan Report (Template Based, PCI Scan Template), 
Scorecard Report, Map Report, Patch Report, Authentication Report, Remediation Report, Compliance 
Report and Asset Search Report. Policy Compliance > Reports > New lists: Compliance Report 
(Authentication Report, Policy Report, Interactive Report, Scorecard Report, Mandate Based Report, 
STIG Based Report) and SCAP Report. 


Qualys AssetView gives you a view of all your assets in real time, all in one place. Here you can 
search your asset inventory in seconds to help you prioritize vulnerabilities and compliance 
issues. Asset details tell you about each asset including properties and detection information. 


Credentials for Common Use Cases 


Windows Authentication 


What credentials should I use? 


Use an account with administrator privileges (local administrator or Windows domain 
administrator) for the most accurate security assessment and recommended fixes for your 
system. This allows the scanning engine to collect information based on registry keys, 
administrative file shares (such as C$) and running services. Less than administrator privileges 
limits the scan to fewer checks and the results will not be as complete. 


Are trust relationships supported? 


Yes, we support trust relationships in Windows domain logins. In other words, you can use 
credentials stored on one domain to authenticate to one or more hosts stored on another 
domain when trust relationships are present. This is done by the scan targets automatically, 
using pass-through authentication. 


Tell me about Domain settings 
If you're using a domain account, enter the domain name and select one of these types in the 
Windows record: 


NetBIOS, User-Selected IPs - When selected we'll use NetBIOS to authenticate to IP addresses in 
the domain configuration. You enter IPs in the IPs section of the record. A single authentication 
record may be defined for an entire domain (tree) using this method. 


NetBIOS, Service-Selected IPs - When selected we'll use NetBIOS to authenticate to hosts in the 
domain using credentials stored on the domain. If trust relationships exist and the account's 
permissions are properly propagated, it's possible for us to authenticate to hosts which are not 
members of the same domain. 


Active Directory - When selected we'll use an Active Directory forest to authenticate to hosts in 
a certain domain within the forest. You'll need to enter a Fully Qualified Domain Name 
(FQDN). If "Follow trust relationships" is selected and trust relationships exist, we'll authenticate 
to hosts in other domains having a trust relationship with the domain you've defined in the 
record. 


Can I create multiple Windows records? 


Yes. You can add as many Windows records as you like. When you have multiple Windows 
records, we'll try to match each target host to one record. Once a match is found we'll use the 
matching record for authenticating to the host, and we'll stop looking for other possible 
matches. 


Record types are evaluated in this order 


1) Records set to NetBIOS, Service-Selected IPs 
2) Records set to NetBIOS, User-Selected IPs 

3) Records set to Local 

4) Records set to Active Directory 


Administrator account vs. another account 


First we'll attempt to match the host to a Windows record with an Administrator account, 
following the same order outlined above. Only if no record with an 
Administrator account matches the host do we attempt to match it to a record with another account, 
following the same order. 


Unix Authentication 


What privileges are needed for vulnerability scans? 


The account you provide must be able to perform certain commands like 1) execute “uname” to 
detect the platform for packages, 2) read /etc/redhat-release and execute “rpm” (if the target is 
running Red Hat), and 3) read /etc/debian_version and execute “dpkg” (if the target is running 
Debian). There are many more commands that must be performed. The specific commands used 
for authenticated scanning vary over time as our service is updated. Get a list of commands from 
our Community. 


What privileges are needed for compliance scans? 


In order to evaluate all compliance checks you must provide an account with superuser (root) 
privileges. The compliance scan confirms that full UID=0 access has been granted even if the 
initial SSH access has been granted to a non-root user. Without full UID=0 access, the scan will 
not proceed. Note also that the account must be configured with the "sh" or "bash" shell. We support 
use of root delegation tools for systems where remote root login has been disabled. 
However, you cannot use a restricted Unix/Linux account that is only delegated 
specific root level commands in the sudoers file or equivalent. A non- 
root account can be used to establish the initial SSH connection, but that account must be able to 
execute a "sudo su -" command (or equivalent) so that it can gain root level (UID=0) 
access for the compliance scan to proceed. 
Using Root Delegation Tools 


By enabling root delegation you can provide a lower-privileged user account in the record and 
still perform scan tests with the elevated privileges of the superuser (root). We support these 
root delegation tools for authentication: Sudo, Pimsu and PowerBroker. There's an option to get 
the password for root delegation from your CyberArk AIM vault. Tip - If you have multiple root 
delegation tools you can order them in your record, and we'll use them in that order. 


Using Password Authentication 


Under Login Credentials in the record, you can provide a user name and password to be used for 
login, or you can get your password from a vault configured in your account, like your CyberArk 
AIM vault. 


Skip Password - Select this option if your login account does not have a password 


Clear Text Password — The service uses credentials provided in your authentication record for 
remote access to different command line services such as SSH, telnet and rlogin. The Clear Text 
Password setting in your record determines whether your credentials may be transmitted in 
clear text when connecting to services which do not support strong password encryption. For 
more details you can search for “clear text password” in the online help. 


Using Private Keys / Certificates 


You can use any combination of private keys (RSA, DSA, ECDSA, ED25519) and certificates 
(OpenSSH, X.509) for authentication. When you have multiple private keys/certificates you can 
set the order in your record, and we'll use them in that order. 


Private key authentication is supported for SSH2 only. Your private keys can either be 
unencrypted or encrypted with a passphrase. 


You have these options to get key info from a vault: 
- Get private key from vault you've configured 


- Get private key passphrase from vault you've configured 